Re: [stable] Linux 2.6.25.10

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: Linus Torvalds <torvalds@...>

Cc: Greg KH <greg@...>, Andrew Morton <akpm@...>, <linux-kernel@...>, <stable@...>

Date: Tuesday, July 15, 2008 - 5:18 pm

On 15 Jul 2008 at 13:42, Linus Torvalds wrote:

quoted text> On Tue, 15 Jul 2008, pageexec@freemail.hu wrote:
> > 
> > i understand and i think noone expects that. in fact, i know how much
> > expertise and time it takes to determine that. but what happens when
> > you do figure out the security relevance of a bug during bug submission
> 
> The issue is that I think it's then _misleading_ to mark that kind of 
> commit specially, when I actually believe that it's in the minority.
> 
> If people think that they are safer for only applying (or upgrading to) 
> certain patches that are marked as being security-specific, they are 
> missing all the ones that weren't marked as such.

and how is that different from today's situation where they aren't told
at all? in other words, they already learned to live with that risk. if
you tell them about a security bug, they will build that knowledge into
their risk assessment process (which is what security is all about in
the end). anything you omit will skew their decision making process (in
particular, expose them to exploits if they fail to apply a fix because
they make a bad judgement call).

in other words, you should not be worrying about people not learning about
all security fixes, they already know it's not possible to provide such
information. however sharing your knowledge that you do have will *help*
them because 1. they can know for sure it's something important to apply
(no need to use their limited human resources to make that judgement),
2. they can spend more of their resources on analyzing the *other* unmarked
fixes. overall this can only improve everyone's security.

what you're afraid of is that people will take your 'we mark security
fixes we learn about' as 'we mark ALL security fixes that are such'. well,
make that very clear in a public document (Documentation/SecurityBugs is
a good place) and that's it, people will know you're doing a best effort
disclosure and not more.

cheers,
  PaX Team

--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Tue Jul 15, 4:18 pm)

Re: [stable] Linux 2.6.25.10, , (Tue Jul 15, 4:23 pm)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Tue Jul 15, 4:42 pm)

Re: [stable] Linux 2.6.25.10, , (Tue Jul 15, 5:18 pm)

Re: [stable] Linux 2.6.25.10, Rafael C. de Almeida, (Thu Jul 17, 3:19 am)

Re: [stable] Linux 2.6.25.10, , (Thu Jul 17, 3:59 am)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Tue Jul 15, 5:26 pm)

Re: [stable] Linux 2.6.25.10, , (Tue Jul 15, 6:08 pm)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Tue Jul 15, 7:28 pm)

Re: [stable] Linux 2.6.25.10, , (Tue Jul 15, 8:04 pm)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Tue Jul 15, 8:24 pm)

Re: [stable] Linux 2.6.25.10, , (Tue Jul 15, 8:56 pm)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Tue Jul 15, 9:08 pm)

Re: [stable] Linux 2.6.25.10, , (Tue Jul 15, 9:23 pm)

Re: [stable] Linux 2.6.25.10, Tiago Assumpcao, (Tue Jul 15, 8:00 pm)

Re: [stable] Linux 2.6.25.10, Theodore Tso, (Tue Jul 15, 9:08 pm)

Re: [stable] Linux 2.6.25.10, Tiago Assumpcao, (Tue Jul 15, 9:53 pm)

Re: [stable] Linux 2.6.25.10, Casey Schaufler, (Tue Jul 15, 11:27 pm)

Re: [stable] Linux 2.6.25.10, , (Wed Jul 16, 5:33 am)

Re: [stable] Linux 2.6.25.10, Theodore Tso, (Wed Jul 16, 9:21 am)

Re: [stable] Linux 2.6.25.10, , (Wed Jul 16, 11:16 am)

Re: [stable] Linux 2.6.25.10, Tiago Assumpcao, (Wed Jul 16, 12:13 am)

Re: [stable] Linux 2.6.25.10, Casey Schaufler, (Wed Jul 16, 1:26 am)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Wed Jul 16, 12:21 am)

Re: [stable] Linux 2.6.25.10, Tiago Assumpcao, (Wed Jul 16, 1:02 am)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Wed Jul 16, 1:13 am)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Tue Jul 15, 10:02 pm)

Re: [stable] Linux 2.6.25.10, Tiago Assumpcao, (Tue Jul 15, 10:36 pm)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Wed Jul 16, 12:07 am)

Re: [stable] Linux 2.6.25.10, Tiago Assumpcao, (Wed Jul 16, 12:16 am)

Re: [stable] Linux 2.6.25.10, , (Tue Jul 15, 9:30 pm)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Tue Jul 15, 8:16 pm)

Re: [stable] Linux 2.6.25.10, Tiago Assumpcao, (Tue Jul 15, 8:38 pm)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Tue Jul 15, 8:51 pm)

Re: [stable] Linux 2.6.25.10, Tiago Assumpcao, (Tue Jul 15, 9:10 pm)

Re: [stable] Linux 2.6.25.10, Greg KH, (Tue Jul 15, 11:13 pm)

Re: [stable] Linux 2.6.25.10, , (Wed Jul 16, 5:01 am)

Re: [stable] Linux 2.6.25.10, Greg KH, (Wed Jul 16, 10:43 am)

Re: [stable] Linux 2.6.25.10, , (Wed Jul 16, 11:43 am)

Re: [stable] Linux 2.6.25.10, Greg KH, (Wed Jul 16, 12:29 pm)

Re: [stable] Linux 2.6.25.10, , (Wed Jul 16, 1:25 pm)

Re: [stable] Linux 2.6.25.10, Mike Galbraith, (Wed Jul 16, 11:43 pm)

Re: [stable] Linux 2.6.25.10, Theodore Tso, (Wed Jul 16, 2:08 pm)

Re: [stable] Linux 2.6.25.10, , (Wed Jul 16, 3:09 pm)

Re: [stable] Linux 2.6.25.10, Gabor Gombas, (Wed Jul 16, 5:35 am)

Re: [stable] Linux 2.6.25.10, , (Wed Jul 16, 6:04 am)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Tue Jul 15, 9:41 pm)

Re: [stable] Linux 2.6.25.10, , (Wed Jul 16, 5:49 am)

Re: [stable] Linux 2.6.25.10, David Miller, (Wed Jul 16, 6:08 am)

Re: [stable] Linux 2.6.25.10, , (Wed Jul 16, 6:23 am)

Re: [stable] Linux 2.6.25.10, David Miller, (Wed Jul 16, 6:31 am)

Re: [stable] Linux 2.6.25.10, , (Wed Jul 16, 6:51 am)

Re: [stable] Linux 2.6.25.10, David Miller, (Wed Jul 16, 7:04 am)

Re: [stable] Linux 2.6.25.10, , (Wed Jul 16, 7:52 am)

Re: [stable] Linux 2.6.25.10, Tiago Assumpcao, (Tue Jul 15, 10:24 pm)

Re: [stable] Linux 2.6.25.10, Theodore Tso, (Tue Jul 15, 11:11 pm)


linux-kernel:
david	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Heiko Carstens	Re: -mm merge plans for 2.6.23 -- sys_fallocate
git:

linux-netdev:
David Miller	Re: [GIT]: Networking
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 05/37] dccp: Cleanup routines for feature negotiation
Lennert Buytenhek	[PATCH 16/39] mv643xx_eth: get rid of ETH_/ethernet_/eth_ prefixes
openbsd-misc:

Re: [stable] Linux 2.6.25.10

Online users